This is a short guide on configuring Strongswan on Ubuntu 14.04 with pre-shared keys (PSK) for a Blackberry 10 device to connect with. Setting this up requires in-depth knowledge of networking and routing.
Installing and configuring Strongswan:

    sudo apt-get install strongswan

/etc/ipsec.conf

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=psk

    config setup
        cachecrls=yes
        uniqueids=yes

    conn default
        left=%any
        leftsubnet=10.7.100.0/24,192.168.0.0/24,0.0.0.0/0
        leftauth=psk
        right=%any
        rightauth=psk
        rightsendcert=never
        rightsourceip=10.7.100.10/30
        rightdns=8.8.8.8
        auto=add

/etc/ipsec.secrets

    %any %any : PSK "yourGatewayPassword"
    %any %any : PSK "yourUserPassword"

My server has one network interface connected to the LAN and one connected directly to the internet. Both have internet-routable gateways, with the LAN gateway being the default. However, I will use the second interface for VPN connections, so a second routing table is required for “same source routing”: replies to traffic that arrives on the internet-facing interface go back out through that interface instead of being routed through the LAN gateway by default. This may or may not be needed depending on the setup. The easier solution is to use the other gateway as the default.
Configure same source routing:

    # sudo does not apply to a ">>" redirection, so append through tee instead
    echo "2 ext" | sudo tee -a /etc/iproute2/rt_tables

/etc/network/interfaces

    # eth0/br0 config
    # ...

    auto eth1
    iface eth1 inet dhcp
        # automatically set up routing table and rules on up and down
        post-up ip route add default via `grep routers /var/lib/dhcp/dhclient.eth1.leases | tail -1 | awk '/routers/ {print $3}' | sed 's/;//'` dev eth1 table ext
        post-up ip rule add from `grep fixed-address /var/lib/dhcp/dhclient.eth1.leases | tail -1 | awk '/fixed-address/ {print $2}' | sed 's/;//'` lookup ext
        post-down ip rule del lookup ext
        metric 10

Restart the interface to apply the changes:

    sudo ifdown eth1
    sudo ifup eth1

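The post-up lines above pull the gateway and the interface address out of the dhclient lease file with backtick pipelines; if the file is missing or nothing matches, `ip` is handed an empty argument. The following is an added example, not part of the original guide, that does the same extraction in shell functions and validates both values before printing the commands. The function names and the sample lease contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): build the two policy-routing
# commands from a dhclient lease file, emitting nothing if a value is bad.

# Print the most recent value of a lease field (routers or fixed-address).
lease_field() {   # $1 = lease file, $2 = field name
    awk -v f="$2" '
        { sub(/;$/, "") }
        $1 == "option" && $2 == f { v = $3 }
        $1 == f                   { v = $2 }
        END { if (v != "") print v }' "$1"
}

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the commands for interface $2 and table $3; return 1 on bad input.
policy_route_cmds() {   # $1 = lease file
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    gw=$(lease_field "$1" routers)
    src=$(lease_field "$1" fixed-address)
    is_ipv4 "$gw"  || { echo "no valid router in $1" >&2; return 1; }
    is_ipv4 "$src" || { echo "no valid fixed-address in $1" >&2; return 1; }
    echo "ip route add default via $gw dev $2 table $3"
    echo "ip rule add from $src lookup $3"
}

# Constructed sample lease file (documentation addresses, two leases).
sample=$(mktemp)
cat > "$sample" <<'EOF'
lease {
  interface "eth1";
  fixed-address 198.51.100.7;
  option routers 198.51.100.1;
}
lease {
  interface "eth1";
  fixed-address 198.51.100.23;
  option routers 198.51.100.254;
}
EOF
policy_route_cmds "$sample" eth1 ext
rm -f "$sample"
```

Saved as a script, the same functions could be called from a single post-up line, so a failed lease lookup stops with an error message instead of running `ip` with an empty address.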
Configure Blackberry VPN profile:
Select General IKEv2 VPN server.